formbook | e1b4e5e0096f12b9ccd4ca5ca71f853a2af84dc98bb418d0243a1e70af9ac0bd | Triage

Sharing

General

Target

e1b4e5e0096f12b9ccd4ca5ca71f853a2af84dc98bb418d0243a1e70af9ac0bd
Size

557KB
Sample

241108-jlcn8a1kgn
MD5

9d6cb41f2ceafe1962985839f6d5535a
SHA1

524a528a739a450a014ba121ab6dd2d4b51e3f9e
SHA256

e1b4e5e0096f12b9ccd4ca5ca71f853a2af84dc98bb418d0243a1e70af9ac0bd
SHA512

8dfebc8136bc3d0ea24d9569d3f2019b2474c6a9770d02044b42a008f5c602bca77ab6f09b98c222719ca436da1c9cf550098508e9c2251c7fcb4dfd4d7f18e9
SSDEEP

12288:pcCjH60V9j6qGsMT89+VCR3t0HyqXvg8nYcqDRUm7skcQ8mMg9Kp:C6H6aG0R3gy4qDWmI1xlnp

Score

10^/10

formbook ae30 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ae30

Decoy

lili116.ru

apatitum.ru

broadbandterbaik.com

flrfteb.ru

xysklhgf.xyz

thevelvetkit.africa

zwelethugh.africa

imassageandstretchdance.com

laser3dstudio.com

efefplantation.buzz

cyberwisely.com

hulihuli.net

electrosertecnologia.com

golanglearn.club

cee4agency.com

bedicustomgraphicapparel.com

aim2fitness.com

greenarrow-advisors.com

lotadan.com

kgaming.dev

Targets

- Target
  
  234d425a3c85a27252fa477d05a387a30a6e248f1ea17b2e7fcaac13cb9c8db3.exe
- Size
  
  680KB
- MD5
  
  c2855f1c6721f12db295ec53b0b7de27
- SHA1
  
  1fd7d75d3f8a54f329ddba0ead08cc1479078dd2
- SHA256
  
  234d425a3c85a27252fa477d05a387a30a6e248f1ea17b2e7fcaac13cb9c8db3
- SHA512
  
  1812c8be95404ed1d4e5c26a75a0ef90d8d9f8366231c644ca7542331cb4fd0a7319ae01d669e30f64808028b84ed690c3f6abf9abc0eea0b797411927385558
- SSDEEP
  
  12288:vpdYkj8CFtxtIT2BenxiJC7vokQwpP2zk/fb3I3UTvJrDE6x:j9j8anIHGuT4kcEvq+
Score

10^/10

formbook ae30 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookae30discoveryexecutionratspywarestealertrojan

behavioral2

formbookae30discoveryexecutionratspywarestealertrojan